Microsoft’s first Patch Tuesday of 2026 addressed 112 vulnerabilities throughout Home windows, Workplace, Azure, Edge, SharePoint, SQL Server, and a number of other core Home windows companies.
When third-party Chromium fixes are included, the full climbs to 114 CVEs.
The January launch consists of eight flaws rated Important, with the remaining points categorised as Essential, a mix that safety groups say requires pressing patching.
The standout challenge this month is CVE-2026-20805, an info disclosure vulnerability in Home windows Desktop Window Supervisor (DWM). The bug permits attackers with native entry to leak small parts of reminiscence, which may weaken system defenses and make different assaults extra dependable.
The bug carries a CVSS rating of 5.5, which can look modest on paper. However researchers warn its real-world impression is much extra severe. The US Cybersecurity and Infrastructure Safety Company (CISA) has now added the flaw to its Identified Exploited Vulnerabilities Catalog.
Past the exploited flaw, Microsoft highlighted a number of different severe points on this month’s launch. The most extreme vulnerabilities embrace:
- CVE-2026-20947 and CVE-2026-20963, each affecting Microsoft Workplace SharePoint
- CVE-2026-20868, impacting Home windows Routing and Distant Entry Service
- CVE-2026-20952 and CVE-2026-20955, affecting Microsoft Workplace
- CVE-2026-20944, impacting Microsoft Workplace Phrase
Microsoft additionally flagged eight vulnerabilities with CVSS scores of seven.8 as “exploitation extra seemingly,” signaling elevated threat even when energetic assaults haven’t but been noticed.
Safe Boot certificates increase one other warning
January’s patches additionally draw renewed consideration to the Safe Boot certificates expiration, tracked as CVE-2026-21265.
Microsoft warned that Safe Boot certificates issued in 2011 will start expiring later this 12 months. Techniques that aren’t up to date in time may cease trusting new boot loaders—or fail to obtain future safety updates.
In contrast to most vulnerabilities, this one isn’t about fast exploitation. As an alternative, ignoring it may go away techniques unprotected or unpatchable later in 2026.
Legacy drivers lastly proven the door
Microsoft additionally used this Patch Tuesday to wash up long-standing legacy dangers.
As a part of the January updates, the corporate eliminated outdated Agere and Motorola Mushy Modem drivers linked to older elevation-of-privilege vulnerabilities. These drivers have been end-of-life for years, however have been nonetheless transport with Home windows. For many customers, the change will go unnoticed. Nevertheless, organizations counting on legacy {hardware} could must make changes.
With confirmed exploitation already underway, safety groups are being urged to patch rapidly, particularly for Desktop Window Supervisor, SharePoint, and Home windows networking companies. Limiting native entry, implementing least-privilege insurance policies, and monitoring for uncommon exercise may also cut back threat till patches are totally deployed.
The total listing of vulnerabilities fastened in Microsoft’s January 2026 Patch Tuesday is out there from the Microsoft Safety Response Middle.
Additionally learn: A important Zoom vulnerability put Home windows customers in danger, and Zoom has launched a patch that organizations ought to apply instantly.
